2015 11 11 BPF Establishing and supporting computer security incident response teams (CSIRTs) Workshop Room 6

The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

>> Good morning, everyone.  Thank you for coming here to this session.  My name is Christine Hoepers, I'm one of the lead experts of the best practice forum on establishing and supporting computer security incident response teams.  The other lead experts that worked in the past year were Maarten van Horenbeeck, and Wout de Natris.  He's helping us get our ideas into something that will be an output of this process.  So he's the United Nations consultant that is helping us here.  Just for us to have an idea of the session today.  I will do some introductions that are really to sum up for people who did not attend the session last year or that are a little new to the process, were not on the mailing list.

What were the best practices for 2014 and what were the topics we focused on this year and why we focused on these topics.  We have a few panelists here that will provide some feedback on the report, and will work with us to start with some ideas for further discussion and then we will open the floor to have more feedback from the audience.

So as I said, just as a recap and introduction, I would like to first do a recap on the 2014 recommendations.  These are all in the report that is online for review, but I just wanted to note that last year, one of the topics that was discussed a lot and was deemed to be further expanded was to work a little bit on clarifying the misconceptions of functions of CSIRTs.  A lot of questions were on expectations of what CSIRTs do.  Sometimes you have people with no understanding of what they do, or they expect something different from what security incident response teams do.

A lot of discussion last year involved sharing privacy-sensitive data.  So there was a need to discuss this topic more.  There was some discussion also of the need and the call for countries to have a national point of contact or a CSIRT of last resort.  That would be a point for when you don't know exactly who to call when you have a security incident.  Could you have a point of contact in a country that would help people with the incident.

Privacy and free speech.  There was a lot of discussion on concerns on how far the work of CSIRTs could impact free speech or in what ways CSIRTs could improve privacy and free speech.  There was the need for implementation of good standards.  There was a lot of discussion of cooperation with law enforcement and other regulatory agencies and what were the tradeoffs and how far that would go.

It was, of course, recognized that training and participation in international meetings is key for building trust, and for this trust, it fosters communication.  And there was a call to provide information on CSIRT cooperation.  And from last year, we are very happy that we had what I would call an unintended consequence of the report, which is that the best practice forum report from last year was actually used by the government of Serbia as an input and as guidance to build their national CSIRT and how to build their national cybersecurity strategy.

It's one of the examples of how the work we are doing here and how we can impact communities and can impact policy and can actually, everyone here provide feedback on how we move forward on the security of the Internet and the work of the incident response teams.

So as I finish this recap, I just wanted to give a little bit    it's really a brief summary of the key discussions on the mailing list and of the key points that are addressed in the report.  So I'm not going to read the report here, and it's also not our intention here today to be discussing paragraphs and wording, because that could be done through the review platform.  That can be done through the mailing list.  This is a summary of some of the points that got more debate and on which we could have more input.

And if anyone wants to follow the document and see, it's still in the review platform.  But actually, it's not on the table of contents.  So you actually need to go specifically for the tags, CSIRT, you have to get the latest version or to the mailing list and get the URL.

So on the early conference calls and discussions on the mailing list, one of the conclusions the whole group came to is that we had too many topics to move forward coming from last year, and one of the things that everyone noticed is that actually, even subtopics that we were discussing like CSIRTs and privacy and policy, actually would be part of a misconception around the role and the responsibilities of computer security incident response teams.  So the consensus of this forum was to have this overarching theme of misconceptions around the role and the responsibilities of CSIRTs, and that actually included other themes, including CSIRTs and privacy, policy, policy making and CSIRTs, and how CSIRTs could influence policymakers and how policymakers had a need to understand better what a technical community does in the CSIRT area.  There was a lot of discussion on supply chain approaches to cybersecurity, that is actually how to get everyone involved, from the development to the deployment to the maintenance of any system, into security and how to involve everyone in this phase.

We had three case studies submitted from Switzerland, Netherlands and Korea, and the report itself and the discussion were driven by a questionnaire that was sent out to several communities.  This questionnaire is in annex one of the report, but I'm not going to repeat all the questions here. 

And before we go into the contributions from our panelists, I thought it was beneficial for everyone in the room, and remotely connected, to just make a summary of the main themes that we have discussed.

I think the number one conclusion and the consensus of the teams is that defining what is the role and what is the purpose of a computer security incident response team has been the concern of various parties.  We have especially governments and other organizations needing to have a better understanding on what are the limits and what is the effectiveness and what are the tradeoffs depending on what to do, and more and more, we have CSIRTs having a role in defending economies, defending national security, as well as citizens.  So there's a lot of change in this role too.

And, of course, this has an implication for the constituency, for trust and cooperation, because CSIRTs have been pretty much technical people to help, and they are now being called to provide input into policies and sometimes working together with law enforcement and with some security agencies, and there has been a very big debate on how that would strain trust amongst the CSIRTs, each other and the cooperation.  And there was also this consensus of people who spoke about that, that it's very important for CSIRTs to help to educate, to help bring the word of how we can improve information security, how we can better handle incidents and how we can detect problems to policy making, and to try to influence, for us to have better policies overall on the Internet.

And there is also a consensus about the privacy debate, at least for the people that participated in the discussions, that CSIRTs are actually key for keeping privacy for the citizens and are key as, as we put here, custodians of privacy, because more and more we have computer security incident response teams trying to act fast when we have data breaches, when we have security problems that could lead to privacy concerns for citizens, and we have more and more CSIRTs working to detect infected machines, to detect computers that could be exfiltrating data and could be affected by attacks that would hinder the privacy of the citizens, and they are working to act fast before major consequences take place.

And there was a lot of discussion too, about how cybersecurity can benefit from cooperation between all the areas of IT and law enforcement, and this was really more raising awareness than a tradeoff, and you need to identify how far the cooperation goes, and for that not to be considered something that would damage the trust in the team.

There was also another discussion about the disclosures that have been treated in other forums and that CSIRTs should be involved in that, in terms of how you deal responsibly with helping this whole software community in that area.

This was a summary; I think it would be nice for everyone to be on the same page here and it would set the scene for the contributions from our panel, and actually, I would really like to start calling now the panelists to contribute.  And I would like to start with Mr. Maarten van Horenbeeck.  Mr. Maarten?

>> MAARTEN VAN HORENBEECK: Thank you.  I think it is a very important topic for all African countries, the issue of cybersecurity.  As you know, in Africa, we face several challenges.  The first is the low capacity, in that there is an increase in our systems.  But in the majority of the countries, a low technical and human capacity on IT skills.

And we have also a proliferation of centers.  We have low use of the regulation.  The regulation is not very well done in several African countries.

Also we have the lack of protection mechanisms at the regional level, because cybersecurity is not now a national issue.  It becomes a regional and continental issue.  We have to put something in place before this goes to the regional level.

Also, in terms of awareness, it is very limited.  Yeah.  When you discuss with your government, a lot of governments are not aware of the issue in terms of national sovereignty.  It's very necessary for the government to be aware, through our awareness campaign.

We need to involve the young graduates in the issue of cybersecurity, and they are not involved in a lot of countries.

While I think the report is very interesting for us at the United Nations Economic Commission for Africa, to improve our support to member countries.  We supported African countries and the regional communities and also the African countries to put in place a cybersecurity strategy and to set up a national reporting center and also at the regional level.

We also ask African countries to develop this African convention on cybersecurity.  We work also to develop the subregional, we will echo the African community and ECOWAS, in West Africa.

Now what we can bring to the table with this report is now for Africa, we have some    we have some African countries that have already established this.  I can give you some examples, from Tunisia.  You have Nigeria, South Africa, but now for others    the first question is how to build or to create a CSIRT at the national level?  It's one important question.  We can discuss the technical issue, hmm?  If the users can trust this, what kind of capacity they need and what kind    very important, the cooperation.  It's very important.  At the national level, it is government, and also we view it as a country and the country is as a CSIRT.  So the cooperation is very important.

I have also: what kind of resources do we need?  The efficiency of the resources working in the CSIRT is very important in the linking of the capacity of the country.  Do we have the right persons in Africa to face the challenge of a CSIRT?  There are some questions we can bring to the table and I think the report will    can go more into what the mechanism is to generalize the CSIRT.

If they start going to work free of charge, are they going to generate their own resources, and what is the role of the government, of the partners and of the sector    the private sector to deal with this CSIRT.  I think it's very helpful for us if in the report you can highlight this, maybe for the 2015 report, and we are ready to contribute with the experience we have at the continental level.

Thank you.  I'm going to stop at this time.  If there is any question, I can come back.  Thank you. 

>> CHRISTINE HOEPERS: Thank you very much.  So I would like to give the floor to Audrey Plonk.

>> AUDREY PLONK: Thank you, Christine.  Good morning, everybody.  I'm at Intel now.  I have been for seven years, but before that I was in the part of the US government that houses the US CERT.  So I have worked with Christine for a long time on CSIRT relationships.  Why would you have Intel here, it's maybe a good question. 

I just want to commend the effort of the group and the birds of a feather session last year to put together the report.  I think it raises some very important topics.  I think I will focus my comments on the sort of data processing and privacy aspects of this, because it's an issue that I think has evolved over time, over the years, in terms of the kind of data that CSIRTs have access to, what they do with it, how they process it and who they share it with.

And so one of the key important roles that CERTs play is to share information with    with each other, across national borders, with the private sector, and within the government.  You know, usually a CERT will sit in an agency, like CERT.br is in the registry here in Brazil, but it will also need to share information with other parts of the Brazilian government to help different ministries and departments secure their systems.

And so the sharing of information between CERTs, from CERTs to the private sector, to CERTs within the government is a critical role that they play.  And national laws and jurisdictions around both data protection and privacy, as well as other issues like public access to information, national security laws, surveillance laws and other things have an impact on a nation state's view of data and privacy and how the information is processed.

So I think I completely agree with the report's points about the fact that without CSIRTs, you won't be able to promote privacy, whatever your definition of privacy is.  And that they are critical to achieving the goal of protecting people and users.  Also I completely agree with the concept that security and privacy are not some set of tradeoffs that you have to constantly make, that really it's more of a balance where, if you want more security and more privacy, or if you want more privacy, you have to add more security.  If you want more security, you have to add more privacy.  So it's often characterized that you have to give some privacy up in order to get security, and I think    I think that's an unhelpful way of thinking about it, because without the security aspects you won't achieve the privacy.  Now, that's not to say that there are no challenges around negotiating the kind of information that needs to be shared in order to analyze systems, to understand malware behavior and to protect users.

It's not to say that there are not privacy and data protection concerns related there, that need to be dealt with.  Characterizing them as mutually exclusive problems is not helpful, and I think the report does an excellent job of pointing that out.  And then the other thing I would say in response to the report, the concept, the recommendation or the idea that I think the report puts forward about whether we could move from talking about privacy, which is a general concept that applies to many aspects of one's life and environment, not necessarily technology or the Internet, to talking more about data protection, which is much easier to define in laws and people can get their heads around it a little bit more when they are talking about data processed by CSIRTs, I think that's a very good recommendation, not because privacy is not a concept that we all care about, but because in the context of CSIRTs, it's very hard to put an operational organization in the role of making societal and cultural judgments about expectations of privacy, which are not    it's not a reasonable place for an operational organization like a CSIRT to sit.  Those discussions and those debates can be informed by the kind of data the CSIRT has access to, how it needs to be shared and how to build those sharing relationships.

That can inform policies and processes that more broadly think about policy.  The report points out it's more of a challenge in that space.  Just two more quick comments on the evolution of CSIRTs over time and the challenges.  Just looking back at the experience in the United States, in 2003 or 2004, when we first established a government, a really    a government CERT with an external facing role, meaning a CERT that was responsible for working with the private sector and working with other CERTs, you know, quickly privacy issues were raised and processes started to be put in place for doing privacy impact assessments on the processing and the data and things like that.  And I think that as the complexity of the technology and of the ecosystem has increased, there has been more and more debate, certainly in the US and I know in other countries, about how the private sector should share information with government for the purposes of analyzing malware and solving technical problems related to either incidents, like real life incidents, or, you know, ongoing research around malware.

And I guess I could talk about that for a very long time, but I will give it back to Christine just to say that I think that the    it's become a much    it's no longer just oh, do we have a privacy law.  There are many other aspects of a country's legal system and framework that have an impact on that.

As I mentioned, freedom of information laws in many countries: the public has the right to request information from the government that may otherwise not be made public or available.  And that has some implications on the kind of data that CERTs would share with the private sector, or the kind of information that the private sector would share with CERTs.  So when thinking about the CERT role with regard to processing data and privacy, I think it's important to step back from the word.  We need to understand the best way to address the    whatever the issue is and advance sort of the policy solutions there.

>> CHRISTINE HOEPERS: Thank you very much, Audrey.  I would like now to call Mr. Taylor Roberts from the Global Cyber Security Capacity Centre.  So Mr. Taylor.

>> TAYLOR ROBERTS: Thank you very much for having me up here.  I do just want to say that I am not directly involved in a CERT.  I'm actually one of those social scientists that some people flinch at.  So do take my commentary with a slight grain of salt.  I wanted to make one content related and two broader points that I hope we can address.

At one point in the report, there's a discussion on the clash of cultures, and that sort of on the one hand, you have demand for protection of economic and national security values and, on the other hand, Internet values, the ability to engage dynamically and the ability to tinker and develop new technologies, and putting them on the one hand and on the other hand makes them seem like they are oppositional ideas.  I think there might be evidence for a positive relationship between the pursuit of these values.  That is, the pursuit of economic and national security values, if approached dynamically, could provide opportunities for this ability to tinker and be flexible.  So just making sure that they are not necessarily oppositional cultures in that respect.

And I do want    here's the second point that I wanted to make, which is: are we actually beginning to observe sort of clustering in the evolution of CERT functionality?  So, for example, at one point they said in the report that there are sort of three emerging themes that are sort of popping up, and if anyone is following along in the report, that    those three things are brought up in paragraph 84.  So you've got, on the one hand, the government wants to have an increased role for the CERT, where they sort of have taken on a crucial capacity for the wider nation.  On the other hand, you have this sort of technical community that wants to make sure that these CERTs have a limited role to respond to incidents, and then on the other hand, you have this relatively new engagement with the private sector.

And so are we actually beginning to see that CERTs are sort of clustering around these different values in terms of what they want a CERT to be?  If that's the case, then I think they can have some statistical collectability and then a nuanced understanding of what the effectiveness of a CERT would be.  One of my colleagues is looking at metrics for measuring success and effectiveness in CERTs, and while those are very, very broad, it's actually one way of potentially clearing up some misconceptions about what the role is.  If you are able to understand how the CERT achieves its mission, then you might be able to more clearly demonstrate to others, you know, what exactly its role is relative to others.

I also think it would help with the sort of "throwing a CERT at it" problem that the SWITCH CERT in Switzerland addresses, that in my work in cyber capacity building we see: a CERT will be all the cybersecurity fix in the country, and we will let it take the role for everything, and that may not be the necessary role for that institution.

And if we are not observing this clustering where we are seeing government wants this and the private sector has a different role, then I think it might be useful to develop a document that highlights sort of lessons learned in the evolutionary process of a CERT.  And sort of how, I think that we would see that the trends may not be uniform.  You may not see this clustering necessarily, but if you can see the nuances and shifting functionality of these CERTs, it would help mutual understanding and, as our colleague from the UN pointed out, maybe help actually establish these CERTs so that they can take advantage of what existing CERTs have already done.

And finally, I want to raise one last question, and the overall impression I get from this report is that you are starting to see a shift away from the T in CERT, which is "team", and towards more of an "I", meaning institution.  I think the connotation, particularly of team, is that a team is a little bit more informal, a little bit more dynamic and able to adapt to manage incidents effectively.

And that's actually important when being able to mitigate the high integration level of threats.  If there's an institutionalization of CERTs, how can we embrace the positive aspects, that being the sustainability of CERTs, without losing the benefits and trust that being a team denotes?  And that's    I think I will leave it at that. 

>> CHRISTINE HOEPERS: Thank you very much, Mr. Taylor.  And just to clarify, to the panelists, when we invited the panelists it was on purpose that we tried to bring people that are not technical people and that are not working in a CERT right now.  It's because, I think, the most valuable feedback is the feedback from people that are from outside, to kind of bring to us exactly what's happening, the misconceptions and privacy, and to have this balance.  So it's really the main purpose of this session to get the feedback of everyone.  So even people that did not participate during the year in the mailing list and all the discussions, we really want to hear especially the feedback from people that are not working in the day to day of a CERT.

So I think we are succeeding right now in that it's really to have this outside-the-community view on what we do.

And I would like then to pass to Mr. Tomas Lamanauskas for his feedback here.

>> TOMAS LAMANAUSKAS: Thank you very much.  It's a pleasure to be on this panel and to share our experiences and our views, both on the paper, but also generally on CERT development and the needs.

So you know, just for the ones that are newer to our work, why are we here and what are we doing in this framework?

Under our cybersecurity activities, we have been cooperating with our Member States, which is all states of the world, to try to set up CERTs and to strengthen their cybersecurity capabilities.  We have done 65 assessments helping them understand their cybersecurity capabilities, implementing 13 CERTs, 13 national CERTs, and we are now in progress of doing four more national CERTs, and improving one additional CERT that is already implemented, as well as going beyond that, with our cyber drills and helping to build collaboration among the CERTs, so we have done now 13 of those cyber drills.  We were in Rwanda this year, with the participation of more than 100 countries.  So it's a bit of experience here.

However, at the same time, with our activities, it's only a dent in the needs, in the big, vast need of what is necessary to be done.  We still have 90    you know, at least we count 91 CERTs, national CERTs, that need to be implemented.  There's a lot of work for everyone and there are a lot of wide spots where, if we don't fix them, as we discussed in some other panels, our security is at risk.  Again, as discussed elsewhere, the cybersecurity specific is that each of us is as much an asset as our neighbor and as the weakest link, because cyber attacks can have impacts for us from anywhere.

Again, I think collaboration, this    the collaboration is greatly important, and some of us here also have close links to the GFCE, the Global Forum on Cyber Expertise.  It was launched earlier this year, April this year, in The Hague, and specifically one of the initiatives is the CSIRT maturity initiative, working together with the partners, the Netherlands and Microsoft and the American states, to help various countries to    you know, together to make this more mature and more progressive.

So this is    so this is the scope of the work, what needs to be done.

Now, about the specific aspects, it's about the misconceptions, and we fully agree that you can't throw a CERT at it, as was said; a CERT will not solve everything.  There's a role for various parties there.  There's the CERT community.  There are others, law enforcement, judges.  The whole community needs to work together.  There's a    together, and to make sure that cybersecurity levels, the cybersecurity levels are achieved in the country.

At the same time, we shouldn't be naive, thinking that we can preserve CERTs, national CERTs, in the same shape or form as when it started, you know, a more informal, more flexible collaborative environment.  You know, the times have changed, not only for CERTs but generally for the Internet and ICT systems.  And, you know, for the good.  Everyone is now much more interested in this area because this area impacts so much more.  So naturally all the other stakeholders, including law enforcement agencies, defense ministries and more and more, are interested in that.

I think we should not be naive in thinking that we can remain as reliant on that.  So several are getting more and more involved in this process, and one can, because they are linked to other stakeholders and other stakeholders use them, but sometimes these flexible    these flexible informal ties are much more difficult now to implement, and we can see various initiatives.

There was discussion about a Red Cross for cybersecurity, building on a CERT model and the CERT collaboration; whether it's something that could fly or not, there are these ideas that were floated.  I think building on it, but I think we should understand this will evolve and some new functions will be added, and it's more about how we handle that and how we preserve the best of the CERTs rather than how we resist it.

Also, it's important    regarding the importance of the maturity of the environment.  The paper talks about the maturity for the CERTs to be established, elements that are important.  And also what we observed, actually starting to set up the CERT is sometimes    it acts as a good seed for security review and capability building.

So basically you start the project for the CERT and what are the other gaps, and then they realize we need to have broader cybersecurity policies and we are now building a CERT.  And so looking at the establishment of a CERT and building the CERT, not only in isolation as we are building that function, but also as a trigger and a seed and kind of central sometimes for the broader    for starting and kick starting the broader cybersecurity discussion and bringing    and, you know, being like a first excuse in some countries for bringing all the relevant stakeholders to the country and starting to build that trust that's needed for the areas.

And, again, reiterating what the paper says, just in that, human links and trust are very important, both national stakeholders, it would be the national stakeholders, and internationally.  For example, the cyber drills are not just to test the capabilities but to bring people face to face.  They know people from one country.  Look, I have this problem.  How can I resolve it?  Oh, look, this is happening.  I see this is happening in your networks?  Can you do something about it, even if it later on needs to be formalized.  I think that's also an important point.

Overall, I really commend the IGF secretariat and the lead experts on this good paper, and I think it starts very good discussions, and hopefully it will lead to further good work, especially bringing all the relevant stakeholders to the table and making more of a dent in that area.  Thanks a lot.

>> CHRISTINE HOEPERS: Thank you, Tomas.  Thank you to all the panelists.  I think we had very good feedback.  And we still have quite some time.  We have more than 50 minutes now and I would like to open the discussion, open for comments, for questions, for    so I would really get to the point of the session that would be really an open microphone, if people would like to share their views on the paper or comment on anything that was talked about here this morning in the panel.

So would anyone be the brave first one?

But you need to come    so I would ask for the people in the back, if there's a microphone for questions.  Yes, because there is no pole here in front.  Can you bring it? 

There's one in the back.

>> AUDIENCE MEMBER: Oh, it's me?  My name is Rabica, I work with an international nonprofit.  I'm with the digital defenders project and we do emergency response for human rights defenders.  When I read this document    thanks.  I have read it now.  Overall the perspective is very much from the government and corporate side.  So what I'm really missing is like a text on human rights defenders, especially if I read paragraph 43, where it says that there are regulatory clauses in the legislation which allow CSIRTs to perform their work and access private data for the purpose of securing the networks.  There's a very thin line there that can be misused by oppressive Internet regimes.  I would like to address that, and that might potentially endanger human rights defenders.

On the issue of trust, I think as long as there are companies involved in the CSIRTs, then there's a whole different drive.  Companies are there to make revenue, and the human rights defending digital security experts we work with are, you know, really stemming for the human rights.

So as long as those companies are involved, I think there's    the trust is really, really difficult.  And then I'm missing some guiding principles.  Like, do the CSIRTs really align with the human rights declarations?  Can CSIRT consultants, for example, show themselves to Internet repressive governments?  This will actually counteract human rights.

And then I'm missing a holistic approach, consequences of digital attacks, like going into emotional well-being, physical security.  So that was it.  Thank you.  It's not really a comment.

>> CHRISTINE HOEPERS: Does anyone on the panel want to comment?  I have a comment later.  Audrey?

>> AUDREY:  Can I just ask a question back?  What was the paragraph you cited?  I thought you said 43, but I don't see that in 43.  I think maybe you are referencing the network and information security directive that is pending in the EU.

>> AUDIENCE MEMBER: It's the European Commission's response to this    in mine it was 43, but maybe I have not the most recent   

>> AUDREY:  I think it's 42.

>> AUDIENCE MEMBER: Okay.  Sorry.

>> CHRISTINE HOEPERS: So I have here, the distribution from the European commission.  Okay.  Just to make sure.

>> AUDREY:  I have been involved in development of the NIS directive for many years and I think the intent here is to make sure that the parallel pieces of legislation in the EU, the general data protection directive and the network and information security directive, well, the general data protection regulation, what will become a regulation when they finally adopt it, and the network and information security directive, and the difference for those not very familiar with European law, a regulation is mandatory and it applies specifically across all Member States and a directive is a framework which Member States can implement in different ways, as long as they can prove that they have achieved the intent there.

So the network and the information security directive is going to be a directive.  So it will be a framework.  And the general data protection regulation will be a regulation.  And so    and that regulation has been debated and ongoing for a very long time.  And the purpose here, I think, and maybe it's a little bit out of context, so it    that may be why it's causing some concern, is to ensure that the general data protection regulation and how it deals with process specification so it doesn't negatively affect CERTs to do malware analysis and share things like significant and other security related information that would help people protect their systems.

So they wanted to be clear about allowing CSIRTs to do the work around security.  I think we appreciate all the    I didn't quite    I will say I didn't quite understand the point about tension between corporations and human rights, that maybe we can follow up and you can explain more specifically what you mean there, but I also just think    I totally agree with many of the concerns you raised but I would say that the    the    again, the policy is    the policy issues, and judgment calls around human rights and speech related issues and beyond that and how to deal with certain regimes, I think it's    it would be very challenging to put that at the doorsteps of the CERTs to solve.

While we certainly have, you know    they may have    they may touch those issues, I think it's really not    it's really not the remit generally of what a CERT is supposed to do and the expertise doesn't usually sit there.

I'm not speaking for Christine because she has extensive expertise in many things.  I think preserving that community is really very technical and very operational and not polluting it with too much other judgment calls directly, I think you could pile so much on that it would    you know, it would really negatively impact their work.  So   

>> CHRISTINE HOEPERS: I would like to get my hat and take off the hat of the chair of the session.

These kinds of comments are really the comments we would like, we are welcoming, and we want you to provide this feedback.  In the report of the last year, we focused more on what a CSIRT is and what a CSIRT does.  And from this perspective, we want to hear more and we would like to understand more.  And from your comment, I would just like to add that there is no organization that could actually make a statement for all the incident response teams around the world.  Because really these and the word "teams" it's really pretty loose because you have incident response teams that are inside an organization and you have incident response teams.  Like we are part of a not for profit organization in Brazil.  We are the national CERT but we are not tied to the government.  So there are many models and really each CERT serves a specific constituency.  So I would say that probably all CERTs that we work with, they actually really    they abide by and respect human rights although they don't have a statement.  So I would say really for the technical community, and one of the things is really when we talk about information sharing, that is like we have to define it and when we are talking about    instead of talking about privacy and data protection, we actually share information based on    it's not really personal identification information, most of the time we are just exchanging information about new techniques, new attacks.  In the case of the CERTs that we share with, we work more, we minimize the data that we share.  I think one of the things that Audrey made the point is the feedback that you were pointing    I don't know, maybe stating in the report that it needs to take into consideration anonymization and really what's the minimal data that you should be collecting.

This is something we do in our daily operations and maybe that could be a feedback into the report to just make sure that helping privacy in a way that you are trying to see if someone is compromised and it has a way to get information it hinders the work.  We need to take that into consideration, but please feel free to talk to us.  We are delivering the final report in three weeks.

And we are going to get all the feedback from the session.  There's the mailing list and all the feedback.  So really we want this kind of feedback and we want the discussion back and forth, really to try to understand if there's something that we need    if there's something that is communication but it's    it's just a point.

So there's a question in front of here. 

>> AUDIENCE MEMBER: Yes, my name is Fabrice, I'm from Brazil.  I want to apologize because I'm new to making this type of document.  I have some comments that I would like to make, anyways, I will get back to you after that.

My comment is I really like what Christine mentioned about bringing up people from other areas to discuss things because I think this is one of the main points.  A lot of the misconception problems is the lack of communication.  Maybe, for example, just giving an example, the CSIRT is just one actor of the whole process of incident response.

The difference between the CSIRTs and the other ones is that usually the CSIRTs are the ones whose core business is to do that, right?  So we are the ones that are most interested in getting things solved and usually the ones that have more knowledge about how to deal with that, but we are not the only ones.  And so I think that this is one of them, one of the many things that we should try to work on is bringing the other actors of the process and talk to them, because maybe we also have misconceptions about their roles, right?  Maybe we expect them to do things that they are not the ones supposed to do.  And maybe there are things that nobody knows who is responsible for.

I can give you the example, for example, Internet fraud, when you have Phishing, right, I work at a private CSIRT.  We detect and we report to the ISP, and we expect them to solve the problem but some of the times they will just say, look, this is not my job.  So whose job is it to act upon that?  The police?  Maybe.  We don't know.  There are things we need to discuss and get together and find out solutions that work for everybody, because we    again, we are the ones interested in solving the things.  So we have in our mind    in our minds ways of doing things that we know would work but maybe it's not suitable for the other actors.  So I think this is one of the points that can contribute to solving the problem of the misconception and many other problems that we have in this area. 

>> CHRISTINE HOEPERS: Thank you.  Any comments from the panel?  Anyone?  Thomas? 

>> THOMAS:  I think it's not anything revolutionary.  I think this was discussed on BPF, it's not about whether the stakeholders.  We just need to sit everyone around the table.  That's what we see from the national practice and we go and we talk about CERTs.  We ask our other counterparts, the judges and critical infrastructure providers to bring everyone around the table and have our discussion but I think    you know, so you can trigger that from the CERT angle.  It's important to have a discussion about the CERT and that's not bad to discuss how BPF works.

>> CHRISTINE HOEPERS: Thank you.  I think there's a question from the back there.  Oh, you have the microphone.  Thank you very much. 

>> AUDIENCE MEMBER: Thank you very much. 

I wanted to add to the work of the best practices forum.  The experience from Serbia, we did a local project on raising the capacities and awareness of cybersecurity in Serbia where we carefully tried to map the key people in different institutions and I'm talking about the government institutions and Internet service providers, telecoms and so on.  And probably a good point is that we managed to use the best practices document as a kind of starting ground for the group discussion.  So we basically kind of adopted it and translated it into Serbian.  We shortened it a little bit but it was quite a useful document, most of them said, as a background of understanding what the CERTs do, what is the role and how to organize it and so on.  It was helpful for discussion.  The main obstacle and that's maybe sharing the experience from Serbia.  It's on the way to the European Union but it's still a transition country with a lot of problems and kind of firm governmental attempts to control things, is that the main obstacle was explaining that simply, cybersecurity cannot work without trust and cooperation.  It's not something that you can impose from the top down, that as the Finnish colleagues, from Serbia and the Israeli and the others that were in the project helping explain that there needs to be trust in order for the companies to share the information otherwise it doesn't work.

Our experience was that in all of these governmental institutions, well, at least in Serbia but I suppose in other countries as well, there are people that understand it and know it works that way.  It's just that those people, including the Army security services and so on, are not high on    in this hierarchy in order to push the understanding of that but creating a group of people that are understanding different contributions and so on and making them work together on this, at least in certain cases seems to show results now.  It's a long process, but this kind of building community beyond the sectors and well, multistakeholder in the best possible meaning of that word is a good experience that we can share.

Thank you. 

>> CHRISTINE HOEPERS: Thank you very much for that input.  We had some input about Serbia in the report, but really hearing how the experience worked and putting people together, I think is very, very valuable.

Any other comments from anyone?  Questions?  The panel?  So there is one here in front. 

>> AUDIENCE MEMBER: Thank you, I'm Ian Creek from New Zealand.  I wanted to make a comment about trust, and public facing CSIRTs.  One of the most important things is trust of the security community.  It's one of the institutional things, when we are talking about institutions is putting a CSIRT inside a signals institution is usually a bad idea.  There's professional expertise crossover.  For me, New Zealand is a very small country.  I know a lot of the people who work inside our national cybersecurity center, they are a top notch organization.  I would not tell them about a zero day.  Yeah, I think that's an important component of trust is not    you know, institutional trust but the community trust is really important. 

>> CHRISTINE HOEPERS: Just to comment on that, this is very important, and this was one of the topics that was more discussed on the mailing list for people that were on the mailing list.  There are several people from several countries that have their CERTs either being created or moved to some intelligence areas that were raising questions and I think Wout wants to make a comment now.

>> WOUT DE NATRIS: I've got a question back because one of the questions in the document is the decision of whether to put it in an intelligence service or something to do with national intelligence.  Do you think that was a conscious decision of the New Zealand government to do so and did they oversee the consequences on trust?  That's one of the questions that we addressed and didn't get an answer on.  Was it intended or a deliberate choice they made with obviously consequences?  Could you comment?

>> AUDIENCE MEMBER: Yes, so New Zealand doesn't necessarily have a national CSIRT.  So the people inside our signals intelligence organization look after important government and critical and national infrastructure.  So I would say it's organically grown, based off professional skills.  So, you know, malware reversal, actually having    actually access to the information and network packet capture.

There's a lot of overlap in skills as opposed to a very conscious decision.  So they don't provide support to the private sector and having been in government previously, if you are not in the really important departments, it's incredibly hard to get ahold of them or get any useful advice.

So, yeah, I think it's    there's currently decisions going on around there and the    where it's locking us is a conscious decision to move and make sure that any national CSIRT is not inside the signals intelligence organization.  So I'm waiting for cabinet. 

>> CHRISTINE HOEPERS: Audrey.

>> AUDREY:  Just a point from the private sector.  There's been quite a debate in the United States over, you know, private sector sharing information with the government, and it's, you know, with    in summary, basically, it's a nonstarter for the private sector to be sharing this information with signals intelligence agencies or with surveillance agencies and so there's been a very strong push back from the industry to ensure that the national CSIRT remains in a civilian agency responsible for protecting government and protecting citizens and not for conducting surveillance.  I think that's an important point. 

>> CHRISTINE HOEPERS: And adding to that, just a little from experience in Brazil, of course, it happened 20 years ago so the scenario was very different, but how CERT.br was created was actually, as many of you probably heard this week.  In 1995, we had a process in Brazil to create the Brazil Internet Steering Committee, to be a multistakeholder body, to take on the issues of the Internet and standards in the Internet, critical resources and not on regulation because the Internet is not regulated but on coordinating efforts.

And at that time, the first report that was asked for was a report on how to move forward with cybersecurity.  At that time, it was not cyber and not Internet Governance.  All of those terms were not there yet but the first question was which structure could we have in Brazil because people are compromised and there are complaints from outside the country and they called for a neutral organization that could provide a neutral ground for reporting, for support for incident response, and that it should be as independent as possible from government or private sector.

And as true independence is difficult, someone has to pay for it, and someone has to do it until the end.  That maintains CERT.br, but we are a free service for the country and as the Internet Steering Committee is a multistakeholder organization, NIC.br, we are, in fact, seen as a neutral organization.

So this is how things evolved in Brazil and probably why we are still neutral when things were evolving.  I could not share if that is bad or not, but we see that more and more organizations ask our advice, ask for us to coordinate meetings among different sectors to try to solve security incidents.  And so we tried not to take sides and we tried to normalize information all the way.  I just wanted to share a point of view of a country that is    does not have.

But we have other teams with national responsibility in Brazil, one specifically for the government.  And having a team specifically for the government as a national team does not mean that we cannot have another team that's a last resort, but that was reflected last year in the report.  I think it's very interesting to have these discussions, especially because of privacy and data protection.  So I think the comments from Audrey on data protection are very interesting too.

So I would pass it to Thomas. 

>> THOMAS:  Just adding to this thing about trust building and fully sometimes from my own experience because I was involved in my own country's national CERT.  We didn't have any mandate.  And actually, that helped because then we had to convince all the stakeholders to come and work with us.

So it seems like something is more difficult, and you would rather have a mandate and you can compel people to come, but if you compel people, they don't want to come and they come reluctantly.  But when you build the trust, then you need to discover what the community actually needs from you and where you can contribute and create the value.  And then through that you build the trust, which later on, even when it's formalized can become like the basis of trust is there and it's formalized the personal relationships and the people know who they talk to, and how it works.  They know how they together came to that point.  So just a point that sometimes, you know, these semi, you know, not very kind of mature, not the best solutions actually can lead to the better result than saying this is how we are doing.  This is the clarity.  Because then people get a little bit afraid of that. 

>> CHRISTINE HOEPERS: Thank you very much.  There's a comment again in front. 

>> AUDIENCE MEMBER: I just wanted to mention one thing that I saw in the report, in paragraph 36, that there's the question about how we engage other stakeholders and I think this is one of the difficulties that we have.  Again, because as I said, we are the ones that are    that want the problems to be solved, right?  How can we bring the ones that are not really interested in that?  And I do have a suggestion, you know.  The thing is that I think that sometimes we need to go there.  I think as my example, at my company, we wanted to get a better relationship with ISPs and hosting communities.  So we started doing some research about hosting events and so on and go after them.  We cannot expect them to come or all of a sudden become interested in that.

I know it's difficult, right, and it's essentially because sometimes you don't have the resources and so on and how to organize that, but we have to go there.  When you go there, you might get one person that is interested and can bring that person and bring you to the event next time and talk about the topic and that way you can increase awareness and interest.  And especially taking the advantage that when we have that opportunity of being there and showing and talking to those people, at the end, we are leaving them a monetary award.  The main thing that people worry about, what do I get or what can I lose, right?

So we can bring that and show them that it is interesting for them and what they can get from their    this relationship, this better relationship with the CSIRTs and the better communication with that.

And then they can start understanding and we can have a better approach and show also that we want to help them, you know.  It's not    we are not one against the other, but we are looking to    we are looking forward to working together.  So from our perspective, just using an example, instead of complaining that the ISPs or hosting providers would not answer our reports, we tried to say what can we do to help you deal with this issue?  I think when we look forward to cooperation, it's always better to offer something before you ask, right?  So you can bring and see, look, let's see what we can do for you and maybe this is an approach. 

>> CHRISTINE HOEPERS: We have a comment from the panel.  Mr. Monkta, you want to make a comment?

>> MARTIN MONKTA:  Yes, I wanted to raise the issue about the government.  It's a big problem in our continent.  I think the interest for each other is very important.  And the report, I think highlights more the issue of our role of the different partners to build a CERT.

The other issue that's very interesting is the regional collaboration.  And there is a lack of some example in developing countries.  I think we have a good model in eastern African countries.  They put a task force for cybersecurity since 2008 and there is a committee and they provide an annual report on the incidents in the region every year.  I think it is an example to follow for as a    as an African country.

There is    the issue of the protection of the citizens is very important.  I can give you one example.  One country requested us to help them to put in place a CERT.  When we went to this country, we would like to organize a meeting with the government, an ISP and the academia.  And the government, why you want to share my information?  Hmm?  When you go to this entity, we don't have trust for the government.  We won't share our information.  The issue of trust is very important.  Some governments can use this information against their population or the private sector.  I think we can highlight this in this report, but it is a good and bad example, yeah.  There are bad examples that we can highlight in the report and the    and the country can learn about this.  Thank you.

>> Going back to your comments, I think that could be a recommendation for all the best practice for    I can give you one example and the other one I assist    my Secretariat is involved in this.  I actually went to one of the meetings out of my own account to try and get the support from the Working Group and just because I was there, I was able to get all the valuable inputs because I had hours of time to discuss with people how important this work was, which they never heard of.

So in other words, I think you are completely right that if you want to engage other stakeholder communities, you have to be at those stakeholder communities.  But is that a possibility which is feasible for the IGF?  Yop but we can take that up as a form of recommendation for future work, that is something we can agree upon that is important to do so.  So please give some feedback on that. 

>> CHRISTINE HOEPERS: There is a comment here in the front.  Thank you. 

>> AUDIENCE MEMBER: Andy Poti can Wawa Technologies.  Are there incident response teams or ISPs that are not cooperating fully and deserving of trust? 

>> CHRISTINE HOEPERS: Just to clarify, if you are asking if in the IGF, is there a process to engage the ISPs.

>> AUDIENCE MEMBER: Is there a process to communicate to those looking for who they can trust about whether or not there are any incident response teams, CERTs, national or otherwise, or Internet service providers who do not fully cooperate and cannot be trusted? 

>> CHRISTINE HOEPERS: I would say that if you talked about the multistakeholder as the IGF, what we have is we have a PWG and we have FIRST, that they all talk to each other.  So FIRST brings together some response teams and Mark and there's a lot of overlapping in there.  And in those forums, they have some statistics and there is some informal.  It's not like a shaming of whose ISPs are not cooperative or who    what stakeholders but you can see by the roles of members and by the ones participating, the ones that are actually writing best practices and the way to move forward.  So, like, yesterday in the comments that Thomas made about the need to bring best practice forums together is because there has been a lot of talk that a lot of the discussion is happening in PIM and here, and they are the same, maybe way forward to have the best practices, on how to have a more secure and reliable internet.  But these forums, they will not be replaced, they are complementing here the work in the IGF and so there are forums that from my perspective are already dealing with that and that are working and that you can find which are the responsible ones.

But sometimes, especially one of the challenges we identified last year and is a challenge that is very true to Brazil and to the countries of Latin America that I know, is that most ISPs and most people, they don't have money to travel and they don't have money to join the forums and I believe that might be true also for Africa.

So these forums, they also have to reach to those countries to see if they are reliable or not like in the case of Brazil, we try to be kind of an arm and make the conversation easier even if the people cannot participate because at the end you cannot just build trust by saying that we are a team or build trust by an NDA or an MOU.  Trust is something that you build by working together.  You can't just sign a document and bind to something and magically you get trust.  This is a consensus that comes from all the communities.

I don't know if that addresses your question, if that was what    or if anyone else has any comment.  I see some people are talking.  Audrey?

>> AUDREY:  I think I know what your question is, Andy.  I think a lot of the trust systems, they are    you have to demonstrate capability to enter the club and that's certainly true for FIRST, which is more on the incident response side, and for ISPs, there's INOC-DBA which is a communication mechanism for network operators and the standard    like as an individual, not as a company, but individually, you have to be personally vouched for by a set of people who have been on the system for so much time and I don't know the exact parameters.  There's a lot more about white listing people instead of black listing people in any type of formal way.  It seems like the black listing is more an off the record, off line, don't talk to that person, do talk to that person type of thing.

>> AUDIENCE MEMBER: It seems like we may want to consider whether there are certain ISPs that don't cooperate and are basically helping to hide malicious activity that continues and if we could perhaps get the global community to consider at least blocking traffic from those Internet service providers unless they act in accordance with the kinds of frameworks that Audrey talked about, it might help us not just talk about trust and earn trust but help to make the environment safer. 

>> CHRISTINE HOEPERS: Just to make a comment on that.  Our position in CERT.br, we don't encourage blocking too much and especially because a lot of times the fact that you couldn't get a response doesn't mean that they are not responsive.  They just don't understand.  They don't know who is reporting.  A lot of times what we are seeing happen in several countries is that people running the network, they don't have an understanding of English.  Sometimes the complaints are too poor and the people don't understand what's going on.  And then instead of having an open and inclusive Internet, you have a patchy, blocked Internet.

Like in Brazil.  If we were sending a lot of Spam, they block the whole country and that's not helpful.  We have been on that end of the line.  I think it's important to discuss how to not have too many problems.  There, of course, are bulletproof ISPs out there but it's not really trying to make a huge black list that you will say this ISP automatically is harboring criminals.  From our own experience, most of the time, they did not understand that that abuse was happening.  They did not understand that a specific client was actually abusing and they just didn't know better.  And this is something we were discussing yesterday at the Spam best practice forum.  We were discussing a lot about how to improve and to have more security of the ecosystem discussion and I think what we are discussing today kind of highlights that.  Maybe we need to bring everybody under one umbrella.  But I would like to move on.  Any other questions, comments?  Comments back and forth?  Comments from the panel?  Questions from the panel to the audience? 

There is a comment.

>> AUDIENCE MEMBER: So one of the things that the global cybersecurity capacity centre at Oxford does, we look at capacity in a very, very broad sense, ranging from the policy to the technical.  And whenever    and we have reviewed about ten countries up to this point.  And one of the things once we get to incident response, we speak about multi stakeholders in each country.  We are not just talking to the CERT about the CERT role but civil society about the CERT's role and private sector about the CERT's role.  One of the things we have come to understand is that one very critical measure of effectiveness of that organization is how it's able to utilize its connections in order to receive and disseminate information and if it doesn't have that either mandate or it doesn't have that ability to communicate, then it's not able to achieve its purpose.

But at the same time, you also have to have the technical capacity to do its incident response function.  And so what we are confronted with is an organization that wants to have the technical capacity but at the same time needs to figure out how to create and build and develop this network of relationships so that it can have both trust in the delivery of information and trust in its network of actors and I think that that's something that in the setup of a CERT, I think ITU does a great job of that, is making sure that both of those things are there so that you have the capacity from the start.

And I wanted to comment, one last thing that Thomas brought up, it's really interesting on how the CERT does start the broader cybersecurity discussion.  A lot of times when we have gone to a country we have seen that the CERT is one of the first things that's been set up because it's seen as the sort of first line of defense in cybersecurity.

And then so making sure that that context is there, but also making sure that it's not just seen as the solution, that    that it's not just the only cybersecurity aspect.  Making that transition is something that I think a lot of countries are looking at right now, what is that CERT's role in that broader sphere?

>> CHRISTINE HOEPERS: Thank you very much.  Any other comments?  Questions?  Some people are afraid whether they want to talk or not.  It's a very free panel here.  So any other comments?  No?

I would point out some of the interesting comments.  This is from our perspective.  I think the point you made about a lot of the maturity and the capability being from the ability to communicate and technical capacity.  So really the trust as built in this community, I think from my experience over the years, is not only that a team will not divulge confidential information or will do something wrong, but it's trust in its technical capability and it's trust that actually it doesn't matter how big or formal it is, actually there's a consistency in how it deals with information and there's a consistency in the way that it actually provides support.  It doesn't matter what the range of services that you do.  So I think in that respect, usually what we see is that the most effective teams are not necessarily the ones that have legislation or mandates or other stuff, but the ones that actually can keep a consistent support to their constituency and it doesn't matter the way it goes.  I think it's very interesting the comment from Thomas that sometimes having to go to that work to get the buy in of your constituency and have to get the trust and have some time to build that trust, and to gather their buy in into the process makes trusting the group more.

So that is another experience: if you involve everyone in creating your team, in creating a national capability, it might be one of the ways to build trust from the start, because you have everyone involved in the creation of that structure and you have everyone kind of knowing what to expect, because they heard from here today some comments that kind of touch on the expectations that people have of what a CERT is.  And it's throwing a CERT at everything, as Switzerland said, that there really are problems out there, so let's create a CERT.  It will solve everything.  So I think one of the takeaways that I saw today is that it's a key component but cannot be seen as the solution or as the actor that will solve all the problems.

And as I was saying with Audrey's comment, I think the other one to improve on is the privacy aspect, and it's one that we are learning in Brazil too, that it's much easier to talk about data protection and how important that is, and from our perspective, we always try to talk with the sectors in Brazil and even Latin America, as we are trying to build a community in the region, to consider carefully.  Don't collect it.

It's not just because you can collect some information that you should do it.  So consider carefully what is the data that you need and at what level you should anonymize.  I think these were some of the points that were made, and probably address some of the concerns that were raised: what is being gathered?  What is the information?  How are you amassing data?  I think it is a huge responsibility.

If you start having a lot of data, it will be a target either of abuse by criminals or maybe abused by others.  So I think it's just summing up some of the ideas here.

Wout, do you have any comments? 

Yeah, I was thinking if nobody in the back is waving, do we have any remote comments?  Well, Wout has a comment.

Yes, I finished my comment. 

We are just trying to figure out who will thank you all.  I would really like to thank you very much for being in this session, for providing this feedback, and this and more is the kind of feedback that we want.  As we said, we would like to receive you back.  So there's still time for anyone here, if you want to talk to us now, talk to us via email, so join the discussion.  We will still decide how it goes, but we are going to have the feedback today and then move to the final draft.  So if anyone would like to provide more feedback or any other comments, please feel free.  I would like to thank Wout very much, because he's the one putting all the text together and getting all the ideas that we are throwing in an unstructured way into the discussion on the mailing list into a structured document, and helping us to get our ideas around and really improving that.  So I thank you all very much, and I thank the co-leads I named at the beginning of the session, because they all helped a lot with bringing people to the discussion, raising awareness with stakeholders and providing ideas.

And I thank very much all the panelists here, some of whom were people that we provoked to be on the panel and to provide some feedback from outside the CSIRT pool and the CSIRT technical people.  So thank you very much and have a great week.  Oh, and Wout has a final comment. 

>> WOUT DE NATRIS: Always.  No, I would like to thank the lead expert, Maarten van Horenbeeck, who is not here but is joining us remotely, for a tremendous amount of work.  Christine also, but it also goes for you, Yuri and Gilbert.

My final comment is not only thanking them, but I have been on this process for two years, and what I would like to reiterate is that this went from CSIRTs looking at themselves, saying how hard life has become in the modern world, to actually really addressing the topics that are facing them at this point in time, and that happened within a period of one year and three to four months, and actually starting to reach out in ways that we did not even perceive when we started at the beginning of August of last year, working towards the IGF in 2014.

I think if the value of a best practice forum is shown, it is in this part of the process, where people are starting to reinvent the thoughts about themselves, and that's extremely valuable and shows the best potential outcome that this best practice forum could actually present to the IGF.  So for that, I want to thank the lead experts and all the people behind them that have given the case studies this year that showed the progress.  So for that, I thank you. 

(Applause).